New Sybase Privilege Escalation Vulnerabilities Discovered

December 2, 2002

Patches for three new privilege escalation vulnerabilities have been released for Sybase Adaptive Server 12 and 12.5. The vulnerabilities are buffer overflows that non-privileged users can abuse to gain privileges and then execute arbitrary code with those elevated privileges. The risk level for these vulnerabilities is considered high by the team that discovered the flaws, the Application Security, Inc. SHATTER (Security Heuristics of Application Testing Technology for Enterprise Research) Team.

Here's a brief synopsis of the three vulnerabilities:

xp_freedll Buffer Overflow. An extended stored procedure (ESP) called xp_freedll in the database sybsystemprocs is used to release a DLL that has been loaded by another extended stored procedure. A buffer overflow vulnerability exists that, when an argument of more than 45 characters is passed to xp_freedll, could allow an attacker to run arbitrary code under the security context of the extended stored procedure server. Examples of overflowing the xp_freedll ESP buffer are available at http://www.appsecinc.com/resources/alerts/sybase/02-0003.html.

DBCC CHECKVERIFY Buffer Overflow. A Sybase Adaptive Server built-in function called DBCC CHECKVERIFY is used to verify the results of the most recent run of dbcc checkstorage. A buffer overflow vulnerability exists that could allow an attacker to run arbitrary code under the security context of the database. Here's an example of overflowing the DBCC CHECKVERIFY buffer using the SQL tool isql.exe:

DROP DATABASE Buffer Overflow. A Sybase Adaptive Server built-in function called DROP DATABASE is used to remove a database from the server. A buffer overflow vulnerability exists that could allow an attacker to overwrite the stack and execute arbitrary code under the security context of the server. Here's an example of overflowing the DROP DATABASE buffer using the SQL tool isql.exe:
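As an added example, not code from this article or from Application Security, Inc., the following Python check flags captured SQL statements that pass an over-long argument to any of the three affected commands, using the 45-character limit the article gives for xp_freedll. The statement capture format, the 128-character threshold for DBCC CHECKVERIFY and DROP DATABASE, and the sample statements are constructed assumptions.

```python
import re

# Constructed sample statements, as a monitoring tool might capture them from an
# audit trail. The real Sybase audit layout is not described in the article.
SAMPLE_STATEMENTS = [
    "exec xp_freedll 'mydll.dll'",
    "exec xp_freedll '" + "A" * 200 + "'",
    "dbcc checkverify(pubs2)",
    "dbcc checkverify(" + "B" * 300 + ")",
    "drop database " + "C" * 400,
    "drop database testdb",
    "select name from sysdatabases",
]

# Limit stated in the advisory: more than 45 characters to xp_freedll overflows.
XP_FREEDLL_LIMIT = 45
# Assumed threshold for the other two commands; the advisory gives no number.
GENERIC_LIMIT = 128

# Each entry: (regex capturing the argument, maximum acceptable argument length).
# Only the single-quoted form of the xp_freedll argument is recognised here.
PATTERNS = {
    "xp_freedll": (re.compile(r"xp_freedll\s+'([^']*)'", re.I), XP_FREEDLL_LIMIT),
    "dbcc checkverify": (re.compile(r"dbcc\s+checkverify\s*\(\s*([^)]*)\)", re.I), GENERIC_LIMIT),
    "drop database": (re.compile(r"drop\s+database\s+(\S+)", re.I), GENERIC_LIMIT),
}


def inspect_statement(stmt):
    """Return (command, argument_length) when the argument exceeds its limit, else None."""
    for name, (pattern, limit) in PATTERNS.items():
        match = pattern.search(stmt)
        if match is None:
            continue
        arg_len = len(match.group(1))
        if arg_len > limit:
            return (name, arg_len)
    return None


def scan(statements):
    """Return a list of (index, command, argument_length) for every flagged statement."""
    findings = []
    for index, stmt in enumerate(statements):
        result = inspect_statement(stmt)
        if result is not None:
            findings.append((index, result[0], result[1]))
    return findings


if __name__ == "__main__":
    for index, command, arg_len in scan(SAMPLE_STATEMENTS):
        print(f"statement {index}: {command} called with {arg_len}-character argument")
```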